1. Project Risk Management

2. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interests of meeting project objectives Risk management is often overlooked in projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates 2 Information Technology Project Management, Fifth Edition, Copyright 2007

3. Negative Risk A dictionary definition of risk is “the possibility of loss or injury” Negative risk involves understanding potential problems that might occur in the project and how they might impede project success Negative risk management is like a form of insurance; it is an investment 3 Information Technology Project Management, Fifth Edition, Copyright 2007

4. Risk Can Be Positive Positive risks are risks that result in good things happening; sometimes called opportunities 4 Information Technology Project Management, Fifth Edition, Copyright 2007

5. Project risks vs. Security risks Two things are different Security risks are about the probability of breaking the system security Project risks are about the probability for the project to fail Each probability has a different ground that leads to the risk occurrence 5

6. Risks Management Processes The techniques have some common ground, e.g.: Identify risk factors Estimate a probability and an impact Risk factors are entirely different 6

7. Project Risk Management Processes Risk management planning… Risk identification: determining which risks are likely to affect a project and documenting the characteristics of each Qualitative risk analysis: prioritizing risks based on their probability and impact of occurrence Quantitative risk analysis: convert risk impact into figures (for example $$$) and prioritize Risk response planning: taking steps to…reduce threats to meeting project objectives 7 Information Technology Project Management, Fifth Edition, Copyright 2007

8. Project Risk Management Processes (continued) Risk monitoring and control: monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the life of the project 8 Information Technology Project Management, Fifth Edition, Copyright 2007

9. Risk Identification Risk identification is the process of understanding what potential events might hurt … a particular project Risk identification tools and techniques include: Brainstorming The Delphi Technique Interviewing Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis 9 Information Technology Project Management, Fifth Edition, Copyright 2007

10. Brainstorming Call your development team to the meeting Have an intelligent discussion re the project risks Facilitate the discussion: Collect information from external resources (experts, books, Internet) Collect the ideas and categorize them Prioritize risk factors 10

11. Delphi Technique During the group discussion some negative effects may occur, e.g. someone opinions prevail the other people opinions Delphi technique help eliminating negative effects Is based on a special procedure of interviewing experts Details are out of scope 11

12. Interviewing Another most commonly used technique, after brainstorming Talk to experts Talk to ones who have completed similar projects recently Before interviewing, have an initial list of questions but be prepared to change it during the interview 12

13. SWOT Analysis In terms of the project, discuss Strengths, Weaknesses, Opportunities, and Threats (S, W, O, and T) Keep focused on the project objectives and scope Watch for threats from external entities (other projects, contractors, vendors, etc) 13

14. SWOT analysis Examples: S – we have already antivirus protection installed once W – we have no experience with antivirus software deployment O – this vendor offers us a significant discount T – the vendor is at the acquisition, who knows what may happen 14

15. Broad Categories of Risk Market risk Financial risk Technology risk People risk Structure/process risk Network security projects are most susceptible to financial and technology risks, however other kinds of security projects are susceptible to all categories of risks 15

16. Risk Register The main output of the risk identification process is a list of identified risks and other information needed to begin creating a risk register A risk register is: A document that contains the results of various risk management processes and that is often displayed in a table or spreadsheet format A tool for documenting potential risk events and related information 16 Information Technology Project Management, Fifth Edition, Copyright 2007

17. Risks Evaluation Assess the likelihood and impact of identified risks to determine their magnitude and priority Risk evaluation tools and techniques include: Probability/impact matrices The Top Ten Risk Item Tracking Expert judgment 17 Information Technology Project Management, Fifth Edition, Copyright 2007

18. Probability/impact matrices The chart built to show correlation between probability and impact 18 Risk6Risk9Risks 1 and 4 Risks 3 and 7Risks 2, 5, and 11 Risks 8 and 10Risk 12 ProbabilItyProbabilIty Impact High Medium Low MediumHigh

19. Top Ten Risk Item Tracking Top Ten Risk Item Tracking is a qualitative risk analysis tool that helps to identify risks and maintain an awareness of risks throughout the life of a project Establish a periodic review of the top ten project risk items List the current ranking, previous ranking, number of times the risk appears on the list over a period of time, and a summary of progress made in resolving the risk item 19 Information Technology Project Management, Fifth Edition, Copyright 2007

20. Risk Response Planning After identifying and quantifying risks, you must decide how to respond to them Four main response strategies for negative risks: Risk avoidance You may decide to avoid doing with a new vendor Risk acceptance You accept a new vendor Risk transference You apply a 3 rd party service instead of doing your own business Risk mitigation You find the way to address and control risk 20

21. Table 11-7: General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks 21 Information Technology Project Management, Fifth Edition, Copyright 2007 CPM – critical path method

22. Risk Management Plan Create the plan at the project planning stage Generally the plan contains: Methodology Roles and responsibilities Budget and schedule Risk categories Risk probability and impact Stakeholders tolerance Tracking Risk documentation 22

23. Sample forms 23

24. Risk Monitoring and Control Involves executing the risk management process to respond to risk events Workarounds are unplanned responses to risk events that must be done when there are no contingency plans Main outputs of risk monitoring and control are: Requested changes Recommended corrective and preventive actions Updates to the risk register, project management plan, and organizational process assets 24 Information Technology Project Management, Fifth Edition, Copyright 2007

25. Results of Good Project Risk Management Unlike crisis management, good project risk management often goes unnoticed Well-run projects appear to be almost effortless, but a lot of work goes into running a project well Project managers should strive to make their jobs look easy to reflect the results of well-run projects 25 Information Technology Project Management, Fifth Edition, Copyright 2007

26. Risks management for security projects Overall methodology is the same Risk factors to consider first of all: People (not acceptance of new security mechanisms) Technology (new technology brings not only resolution of the existing security issues but it brings also other security issues) 26